Quoting hell

In a comment on a recent post,
Bob pointed out that the title (which has an apostrophe)
acquired a backslash in the comment form. He politely asked,

Bug?

I refrained from answering sarcastically, “No, I like the extra backslash. Doesn’t it make me look cool?”
In any case, I have now fixed the bug. It took me on a renewed tour of the travesty that is
magic quotes, and led me to find a number of places I wasn’t
doing quoting properly. I have strings passing from cookies, to PHP, to SQL,
to HTML or JavaScript embedded in HTML, and finally back
to cookies again. There are many handoffs between different quoting regimens, and that means lots of
chances to do it wrong.
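As an added example (not code from the post), here is the handoff chain just described written so that each context gets exactly one escaping step and magic quotes are undone only once at the input boundary; the function names, table name and sample title are assumptions.

```php
<?php
// Added example. Rule of thumb: undo magic quotes once on the way in,
// then escape once, for the specific output context, on the way out.

// 1. Input boundary: strip the backslashes magic_quotes_gpc added (PHP < 5.4).
//    get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. SQL: no hand-rolled escaping; a bound parameter keeps quotes as data.
function store_comment(PDO $db, string $title, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (title, body) VALUES (:t, :b)');
    $stmt->execute([':t' => $title, ':b' => $body]);
}

// 3a. HTML text or attribute context: both quote kinds must be encoded.
function for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 3b. JavaScript literal embedded in HTML: JSON-encode, and also hex-escape
//     < > & ' " so the value cannot close the surrounding <script> element.
function for_js_in_html(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// 4. Cookie: setcookie() URL-encodes the value and PHP decodes $_COOKIE on
//    the way back in, so no extra quoting belongs at this hop.
function remember_name(string $name): void {
    setcookie('commenter', $name, ['httponly' => true, 'samesite' => 'Lax']);
}

// Constructed sample input with an apostrophe, like the title in the post.
$title = raw_input("Isn't this a bug?");
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (title TEXT, body TEXT)');
store_comment($db, $title, 'first post');
echo for_html($title), "\n";
echo for_js_in_html($title), "\n";
```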

I think I finally have it nailed, but then again, I thought that last time...

Comments

Back when I was writing my own blog software, I ran into the same problem(s). They became particularly acute when I added comment preview, which involves carrying the comment text through multiple POSTs adding and removing backslashes all the while. It was practically impossible to cover all of the cases. Some would say it's actually impossible; PHP forums are full of complaints about this very issue, along with dozens of (mostly incomplete or broken) workarounds. In the end that was one of the reasons I switched to WordPress and made it somebody else's problem. I simply have a lot better things to do with my time.

While we're on the subject, your email-address filter still gets me every time. It doesn't like @pl.atyp.us (have to use @atyp.us instead), then it turns "@" to "(at)" and "." to "(dot)" during preview but won't accept the result coming back. I still end up having to change my email address by hand (twice!) every time I comment here.

Isn't PHP great? Just when you think it's helping you, it's actually stabbing you in the knee with a frozen eel. Just add in a dose of addslashes, stripslashes, nl2br, urlencode, utf8_encode, htmlentities, rawurlencode, convert_encoding, mysql_escape_string, mysql_real_escape_string, htmlspecialchars, htmltranslationtable, quoted_printable_decode and the various combinations of the ini settings that change the behaviour (which may be set in the php.ini file, the apache file, the local directory, compiled in or just set manually), and then switch error reporting off.

:-D
